Email is everywhere, and it’s not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable rise recently, but about half of the world now uses email, and that figure is increasing. In medicine, approximately 50% of patients either use or want to use email to contact their healthcare providers, and about a third of clinics are actually making it possible for them to do so.

Email, however, was invented well before either HIPAA or our society’s modern appreciation for the importance of strong online security. Because of this, in its most basic and typical form, email has no credible controls to ensure sender and recipient identity, to protect message integrity, or, perhaps most importantly, to prevent third-party snooping. These deficiencies intersect particularly poorly with the legal and ethical demands on healthcare communication, which turns the situation into a powder keg.

In short, email in medicine can be a HIPAA disaster. But it doesn’t have to be.

Let’s talk about the problem and what you can do to solve it.

What HIPAA Compliance Demands from Email

If your healthcare activities are covered by HIPAA and you want to use email to store or transmit protected health information (PHI), then two important sections of the HIPAA regulations will apply to you: the Privacy Rule and the Security Rule.

We’ve discussed these rules before in more detail, but the one-sentence summary is that the Privacy Rule governs how all PHI must be treated, while the Security Rule provides additional regulations for PHI that is in electronic form (ePHI).

The HIPAA Privacy Rule and email

When it comes to email and the HIPAA Privacy rule, the U.S. Department of Health and Human Services (HHS), which administers HIPAA, has actually weighed in with specific guidance. Here’s a snippet of their position:

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).

Sounds like great news! For reference, the 45 CFR § 164.530(c) that they referenced is just a citation for a section of the actual HIPAA regulations, and it simply requires that you “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

Of course, when it comes to email, the definition of an “appropriate technical safeguard” becomes important. HHS weighs in on this, as well:

Covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

So that brings us to the Security Rule…

The HIPAA Security Rule and email

The 45 CFR Part 164, Subpart C, which HHS referenced above is actually quite long and contains many of the foundational aspects of the HIPAA Security Rule. Instead of going through all of it, we’re going to assume that you already have a functioning HIPAA compliance program in place, and we’ll spend this section highlighting just a few key regulations that are especially important when it comes to email. If you need a more thorough rundown on the Security Rule first, check out our earlier complete guide to HIPAA compliance.

Within the Security Rule, much of the important technical guidance shows up in 45 CFR § 164.312, a section on “technical safeguards.” Let’s take an abridged look at some of this section’s requirements as they apply to email:

Access controlOnly those people with appropriate access rights should be able to access ePHI. This means that you should use strict security measures for your email account, including a strong password and two-factor authentication. However, you should also consider this requirement as it applies to emails once they leave your email provider’s server and travel across the Internet; if they are unencrypted, then you can’t control access to them as they pass through other servers.

Unique user identification and identity verificationUsers on systems with ePHI must be uniquely identified, and their identities must be verifiable. This means no shared logins for email accounts, and it also means that the identity of every person sending or receiving ePHI should be verifiable. Basic email does not have sender or recipient identity verification capabilities.

Data integritySystems must protect ePHI from improper alteration or destruction, both at rest and in transit. Technical measures to guard against data loss or corruption need to be in place, and basic email does not include integrity controls.

Encryption and decryptionA mechanism should be used to encrypt and decrypt ePHI. Basic email does not employ encryption.

Transmission securityTechnical measures must guard against unauthorized access to ePHI that is being transmitted. Basic email transmission protocols include no guarantee of secure transit.

You can use email securely and still remain compliant with HIPAA. Here are seven tips for securely using email in a HIPAA-compliant organization.

1) Get consent

Get a patient’s written consent before sending them email. A good email consent form will explain the risks of communicating via email, explain how and why you’ll use email, explain how patients should safeguard their computer, and get the patient’s signature. Search the internet for “email consent form” to find lots of templates you adapt. It also can’t hurt to have your lawyer review the form before you start using it.

Do something with the patient’s consent.

Write a procedure for staff to follow when handling consent forms that patients fill out. This is important for two reasons: (1) It’s the only way to be sure that you’re actually honoring the patient’s wishes about email communication, and (2) If you are ever audited or experience a security breach, it will be important to have a written procedure as evidence to prove that you’re handling email securely.

2) Policy: define what staff are allowed to do with email.

Your policy should define which email addresses and devices should be used to send PHI, what information should never be sent via email (e.g., mental health and substance abuse info), and who they are allowed to email (patients, other providers, etc.).

3) Have a privacy statement at the end of emails.

A privacy statement should be automatically appended to the end of every outgoing email. Your statement reminds recipients that email is inherently insecure, states that the email is privileged and confidential, and tells the recipient who to contact if they are not the right person. Speak with your email / IT provider – they should be able to set this up for you.

4) Say yes to Business Associate Agreements.

HIPAA Business Associate Agreements are required under HIPAA. Don’t use an email provider who refuses to sign HIPAA Business Associate agreements for your medical practice. Paid Google and Office365 services will sign such an agreement. Free services like free Gmail, Yahoo Mail, Hotmail/Outlook.com won’t.

5) Say no to any company that won’t sign a BAA.

Companies will give you all sorts of reasons as to why they won’t sign a Business Associate agreement. Here are a few that we’ve heard:

“Our lawyers say we don’t need one.”

“We never open your emails, so we’re not a Business Associate.”

“None of our thousands of customers have ever asked us to do that.”

“We’re a ‘conduit’, not a business associate.”

These are all nonsense. There are plenty of providers out there who are willing to sign a Business Associate agreement. If a vendor’s not, you’re either speaking to the wrong person within the company, or there’s a reason that they won’t. Walk away and go find a vendor that knows how to support healthcare organizations.

6) Encrypt email with PHI or PII.

Let’s say you’re emailing a patient with the results of a lab test. You need to be as sure as can be that your patient is actually sitting at the computer when that email is opened AND that nobody else read the email in between your computer and theirs.

Using a secure email gives you that level of assurance – the message is encrypted when it leaves your computer, and can’t be read by anyone except your patient who has a password that only she or he knows. That means anyone trying to read it along the way will only see nonsense.

7) Better yet, automatically encrypt any sensitive email.

The best systems will automatically read your email on the way out, look for sensitive terms (like social security numbers, diagnoses like “diabetes,” medication names like “Zoloft,” etc.), and automatically send these encrypted and securely. These systems are great because they remove the chance of making mistakes – emails to your spouse about dinner plans are sent normally, but emails about patients, treatments, diagnoses, and lab tests are sent securely.

Sharing your scoops to your social media accounts is a must to distribute your curated content. Not only will it drive traffic and leads through your content, but it will help show your expertise with your followers.

Integrating your curated content to your website or blog will allow you to increase your website visitors’ engagement, boost SEO and acquire new visitors. By redirecting your social media traffic to your website, Scoop.it will also help you generate more qualified traffic and leads from your curation work.

Distributing your curated content through a newsletter is a great way to nurture and engage your email subscribers will developing your traffic and visibility.
Creating engaging newsletters with your curated content is really easy.